Analysis
- Max time kernel: 119s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 02-01-2022 13:21
Static task: static1
Behavioral task: behavioral1
- Sample: open__with_Pass__1234.exe
- Resource: win7-en-20211208
General
- Target: open__with_Pass__1234.exe
- Size: 2.2MB
- MD5: fee1fdf36972ab6f9c6f4b9f51b08029
- SHA1: dede9e00a4dee0ca1580815b25fba6639ce60a75
- SHA256: 1a7b82468f3a677663daab8f8142ff99cf65465d6a772f71c655b55f05395303
- SHA512: 85965d45a3eebc013e0b0f618dec95fab1201f46ec862045aff5ffe7b17ebee70671cdcbdea439a8d4e7064f5e164cddc7dd108355807db8abf64f160d1e2d8d
Malware Config
Extracted
- Family: cryptbot
- hevuto75.top
- morhmu07.top
- payload_url: http://kyrolk10.top/download.php?file=aswirl.exe
Signatures
- Deletes itself (1 IoC)
Processes:
- PID 608: cmd.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox flags this heuristic as likely ransomware behaviour, but the extracted configuration identifies the sample as CryptBot, an information stealer; drive enumeration is equally consistent with a stealer locating files to collect, so this signature alone should not be read as ransomware.
- Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- open__with_Pass__1234.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- open__with_Pass__1234.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Delays execution with timeout.exe (1 IoC)
Processes:
- PID 532: timeout.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 1704 (open__with_Pass__1234.exe) wrote to memory of PID 608 (cmd.exe), 4 events
- PID 608 (cmd.exe) wrote to memory of PID 532 (timeout.exe), 4 events
The only write targets are the child processes each parent has just spawned, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe (PID 1704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 608)
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\HXihQHQkCaO & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 532)
      Command line: timeout 4
      - Delays execution with timeout.exe
The command line names C:\Windows\system32\cmd.exe while the image that actually ran is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process on a 64-bit host, so WOW64 file system redirection maps system32 to SysWOW64.
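Two of the behaviours above are straightforward to detect from process and registry telemetry: a cmd.exe child whose `del` target is its own parent's image (after a `timeout` delay), and a read of `ProcessorNameString` by a binary running from the user's Temp directory. The following is an added example, not part of the sandbox report or of the sample; it runs that detection logic over constructed Sysmon-style events that mirror this report's process tree. The event field names, the benign control entries (a `setup.exe` installer and `WmiPrvSE.exe`), and PIDs other than 1704, 608 and 532 are assumptions for illustration.

```python
# Added example (not part of the sandbox report): detection logic for the
# self-deletion and processor-probe behaviours, run over constructed events.
import re

# Constructed telemetry. "process_create" mirrors Sysmon Event ID 1; the
# "registry_query" shape mirrors the sandbox's "Key value queried" IoC. Sysmon
# itself does not log registry reads, so on a live host that event would come
# from the sandbox or an EDR that records value queries.
EVENTS = [
    {"type": "process_create", "pid": 1704, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"'},
    {"type": "registry_query", "pid": 1704,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": "ProcessorNameString"},
    {"type": "process_create", "pid": 608, "ppid": 1704,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"C:\Windows\system32\cmd.exe" /c rd /s /q '
                 r'C:\Users\Admin\AppData\Local\Temp\HXihQHQkCaO & timeout 4 & '
                 r'del /f /q "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"')},
    {"type": "process_create", "pid": 532, "ppid": 608,
     "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 4"},
    # Benign controls (assumed, not from the report): an installer wiping its
    # temp dir without deleting its parent, and a system binary reading the key.
    {"type": "process_create", "pid": 2000, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\setup.exe"'},
    {"type": "process_create", "pid": 2001, "ppid": 2000,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\is-1A2B.tmp'},
    {"type": "registry_query", "pid": 900,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": "ProcessorNameString"},
    {"type": "process_create", "pid": 900, "ppid": 4,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe"},
]

USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
CPU_KEY_RE = re.compile(r"\\hardware\\description\\system\\centralprocessor\\\d+$", re.I)


def cmd_segments(cmdline):
    """Split a 'cmd.exe /c ...' line on '&' and tokenise each command, keeping
    double-quoted paths whole. Paths that themselves contain '&' are not handled."""
    m = re.search(r"\s/[ck]\s+", cmdline, re.I)
    body = cmdline[m.end():] if m else cmdline
    segments = []
    for part in body.split("&"):
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', part)]
        if tokens:
            segments.append(tokens)
    return segments


def process_images(events):
    """Map PID to image path from process creation events."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}


def detect_self_delete(events):
    """Flag a cmd.exe child whose 'del' target is the image of its own parent,
    recording any 'timeout' delay used to wait for the parent to exit."""
    images = process_images(events)
    hits = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = images.get(e["ppid"])
        if parent is None:
            continue
        targets, delay = [], None
        for tokens in cmd_segments(e["cmdline"]):
            verb = tokens[0].lower()
            if verb in ("del", "erase"):
                targets += [t for t in tokens[1:] if not t.startswith("/")]
            elif verb == "timeout":
                digits = [t for t in tokens[1:] if t.isdigit()]
                delay = int(digits[-1]) if digits else None
        if any(t.lower() == parent.lower() for t in targets):
            hits.append({"cmd_pid": e["pid"], "deleted_image": parent, "delay_s": delay})
    return hits


def detect_cpu_probe(events):
    """Flag a ProcessorNameString read under CentralProcessor by a process whose
    image lives in the user's Temp directory, as the sample in this report does."""
    images = process_images(events)
    hits = []
    for e in events:
        if e["type"] != "registry_query":
            continue
        if not CPU_KEY_RE.search(e["key"]) or e.get("value", "").lower() != "processornamestring":
            continue
        image = images.get(e["pid"], "")
        if USER_TEMP_RE.match(image):
            hits.append({"pid": e["pid"], "image": image})
    return hits


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print("self-delete:", hit)
    for hit in detect_cpu_probe(EVENTS):
        print("cpu-probe:", hit)
```

The self-delete rule keys on the relationship between the `del` target and the parent image rather than on the literal `rd /s /q ... & timeout ... & del` string, so it still fires when the temp directory name, delay value or switch order changes; the installer control shows that a plain temp-directory cleanup does not trip it.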
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/532-58-0x0000000000000000-mapping.dmp
- memory/608-57-0x0000000000000000-mapping.dmp
- memory/1704-54-0x0000000076001000-0x0000000076003000-memory.dmp (Filesize: 8KB)
- memory/1704-55-0x0000000000300000-0x0000000000301000-memory.dmp (Filesize: 4KB)
- memory/1704-56-0x00000000006B0000-0x00000000006F8000-memory.dmp (Filesize: 288KB)